CVE-2026-12549 - Vulnerability Details

Description

The fix for CVE-2026-2443 was regressed by a subsequent rework commit that replaced specific overflow checks with a general signed comparison. When a client sends a Range request with a suffix length exceeding the content size, the resulting negative start value is not properly clamped, leading to malformed HTTP 206 responses and log flooding.

Published: 2026-06-22

Score: 4.8 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The flaw occurs when libsoup receives a HTTP Range request whose suffix length exceeds the size of the requested content. The library incorrectly computes a negative start index that is not clamped, resulting in malformed partial content responses (HTTP 206) and causing log flooding. This buffer-length error corresponds to CWE-805 and can degrade service availability by exhausting log resources.

Affected Systems

The vulnerability affects the libsoup library embedded in Red Hat Enterprise Linux releases 6, 7, 8, 9, and 10. Organizations running any of these distributions with applications that use libsoup's WebSocket or HTTP Range handling should be aware that the default configuration may be vulnerable until the fix is applied or mitigated.

Risk and Exploitability

The CVSS score of 4.8 indicates a moderate severity, while the EPSS score is currently unavailable, meaning the exploitation probability is not known. The vulnerability is not listed in CISA’s KEV catalog. Because an attacker can trigger the condition by sending crafted HTTP Range requests to any reachable server that uses libsoup, the attack vector is remote over the network. The impact is limited to denial of service through log flooding rather than code execution or data exfiltration.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor	Product	Default status	Versions
Red Hat	Red Hat Enterprise Linux 10	affected	—
Red Hat	Red Hat Enterprise Linux 6	unknown	—
Red Hat	Red Hat Enterprise Linux 7	unknown	—
Red Hat	Red Hat Enterprise Linux 8	affected	—
Red Hat	Red Hat Enterprise Linux 9	affected	—

No data.

No data available yet.

Remediation

Vendor Workaround

To mitigate this issue, applications utilizing libsoup's WebSocket support should ensure that the `max_incoming_payload_size` is explicitly set to a non-zero value. This prevents the library from processing WebSocket frames with an unset or zero maximum payload size, which can lead to out-of-bounds reads. Consult application-specific documentation for configuring libsoup parameters.

OpenCVE Recommended Actions

Upgrade libsoup to a revision that restores the proper negative start value clamping for Range suffix requests, ensuring malformed 206 responses cannot be generated.
Set the application‑specific `max_incoming_payload_size` configuration option for libsoup WebSocket support to a non‑zero value to prevent the library from processing frames with an unset or zero maximum payload size, thereby eliminating the out‑of‑bounds read path.
Continuously monitor server logs for sudden increases in HTTP 206 responses or log volume; if such activity is detected, consider applying rate limiting or additional input validation to mitigate log‑flooding attacks.

Generated by OpenCVE AI on June 22, 2026 at 16:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://access.redhat.com/security/cve/CVE-2026-12549
https://access.redhat.com/security/cve/cve-2026-0716
https://bugzilla.redhat.com/show_bug.cgi?id=2489999
https://gitlab.gnome.org/GNOME/libsoup/-/work_items/516

History

Mon, 22 Jun 2026 15:45:00 +0000

Type	Values Removed	Values Added
Description		The fix for CVE-2026-2443 was regressed by a subsequent rework commit that replaced specific overflow checks with a general signed comparison. When a client sends a Range request with a suffix length exceeding the content size, the resulting negative start value is not properly clamped, leading to malformed HTTP 206 responses and log flooding.
Title		Libsoup: incomplete fix for cve-2026-2443: range suffix overflow in libsoup soupserver
First Time appeared		Redhat Redhat enterprise Linux
Weaknesses		CWE-805
CPEs		cpe:/o:redhat:enterprise_linux:10 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:8 cpe:/o:redhat:enterprise_linux:9
Vendors & Products		Redhat Redhat enterprise Linux
References		https://access.redhat.com/security/cve/CVE-2026-12549 https://access.redhat.com/security/cve/cve-2026-0716 https://bugzilla.redhat.com/show_bug.cgi?id=2489999 https://gitlab.gnome.org/GNOME/libsoup/-/work_items/516
Metrics		cvssV3_1 `{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L'}`

Subscriptions

Redhat Enterprise Linux

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2026-06-22T13:55:06.896Z

Updated: 2026-06-22T13:55:06.896Z

Reserved: 2026-06-17T18:40:22.117Z

Link: CVE-2026-12549

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T16:45:16Z

Weaknesses

CWE-805
Buffer Access with Incorrect Length Value

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact Low

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object